add notes about compiler poc and solar winds mitigation

This commit is contained in:
Anton Livaja 2024-08-21 13:22:55 -04:00
parent beea47e1f6
commit 778774fe33
Signed by: anton
GPG Key ID: 44A86CFF1FDF0E85
1 changed files with 34 additions and 0 deletions


@ -97,6 +97,11 @@ toolchain -->
<!-- https://distrowatch.com/images/other/distro-family-tree.png --> <!-- https://distrowatch.com/images/other/distro-family-tree.png -->
<!-- TODO: libfakerand to act as the "why" --> <!-- TODO: libfakerand to act as the "why" -->
<!--
* Create modified compiler which injects libfakerand during build time
* Use it to compile software from source, for example bitcoin core
* Show that the wallet generated with bitcoin core is not random
-->
--- ---
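Review bot: the TODO block added here only sketches the libfakerand PoC (modified compiler injecting libfakerand at build time, building bitcoin core with it, showing the generated wallet is not random) and never states how the reader would catch the tampering, which is the point the surrounding "toolchain" and determinism material is building towards. Suggest adding a fourth bullet along the lines of "* Rebuild with the unmodified toolchain and compare the resulting binaries; the hash mismatch is what exposes the injected code", so the PoC ties back to the reproducible-build argument rather than ending at "the wallet is not random". Also consider spelling out what "libfakerand" is assumed to do (a stand-in RNG that returns predictable output) so the comment is self-explanatory when someone picks the TODO up later.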
@ -174,6 +179,35 @@ StageX allows us to bootstrap the compiler toolchain, making it easy to verify t
--- ---
# Solar Winds
According to: https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/
> * SUNSPOT is StellarParticles malware used to insert the SUNBURST backdoor into software builds of the SolarWinds Orion IT management product.
> * SUNSPOT monitors running processes for those involved in compilation of the Orion product and replaces one of the source files to include the SUNBURST backdoor code.
> * Several safeguards were added to SUNSPOT to avoid the Orion builds from failing, potentially alerting developers to the adversarys presence.
<!--
We can see that the compromise occurred because the threat actors infiltrated the network
and replaced source code files during build time.
This is clearly something we could have prevented by using determinism.
* Ensuring that all our build time dependencies are reviewed and built deterministically
* Ensuring that our commits are signed (additional protection)
* Ensuring that the final result is determnistic
If Solar Winds deployed a secondary runner in an isolated environment that's pull only,
it's nearly impossible they would not notice that something is amuck in their final
release build. In fact if any developer built the code locally, they would have noticed
that something is not lining up.
TODO create graph illustrating what their deployment pipeline likely looks today
TODO create graph of what it would look like with multi reproduction
-->
---
# **What's Next?** # **What's Next?**
Packaging more software Packaging more software
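Review bot: the mitigation list in the new "Solar Winds" section does not quite match the failure mode quoted just above it. The CrowdStrike summary says SUNSPOT replaced a source file on the build host during compilation; "Ensuring that our commits are signed" therefore only helps if the build step itself verifies signatures on the checked-out tree, which the text does not say, so either state that or drop the "additional protection" claim. The strongest point, the isolated pull-only secondary runner whose output is compared against the release build, is buried in the comment; suggest promoting it to a bullet and saying explicitly that the detection is the hash comparison between the two builds, not determinism on its own. Minor fixes in the same hunk: "determnistic" -> "deterministic", "amuck" -> "amiss", the heading and commit message should use the product name "SolarWinds", and the quoted bullet reads "adversarys" where the source text has "adversary's" (the apostrophe was lost in the copy).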